diff mbox series

secdesc-ui.py: a UI to view the security descriptors on SMB2+ shares

Message ID 20190409023929.15098-2-lsahlber@redhat.com (mailing list archive)
State New, archived
Headers show
Series secdesc-ui.py | expand

Commit Message

Ronnie Sahlberg April 9, 2019, 2:39 a.m. UTC
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
---
 secdesc-ui.py | 437 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 437 insertions(+)
 create mode 100755 secdesc-ui.py

Comments

Pavel Shilovsky April 10, 2019, 7:33 p.m. UTC | #1
пн, 8 апр. 2019 г. в 19:44, Ronnie Sahlberg <lsahlber@redhat.com>:
>
> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
> ---
>  secdesc-ui.py | 437 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 437 insertions(+)
>  create mode 100755 secdesc-ui.py
>
> diff --git a/secdesc-ui.py b/secdesc-ui.py
> new file mode 100755
> index 0000000..26db582
> --- /dev/null
> +++ b/secdesc-ui.py
> @@ -0,0 +1,437 @@
> +#!/usr/bin/env python
> +# coding: utf-8
> +
> +import array
> +import enum
> +import fcntl
> +import os
> +import struct
> +import stat
> +import sys
> +from Tkinter import *
> +
> +FULL_CONTROL = 0x001f01ff
> +EWRITE = 0x00000116
> +ALL_READ_BITS = 0x00020089
> +EREAD = 0x001200a9
> +CHANGE = 0x001301bf
> +
> +TRAV_EXEC = 0x00100020
> +LIST_READ = 0x00100001
> +READ_ATTR = 0x00100080
> +READ_XATT = 0x00100008
> +CREA_WRIT = 0x00100002
> +CREA_APPE = 0x00100004
> +WRIT_ATTR = 0x00100100
> +WRIT_XATT = 0x00100010
> +DELE = 0x00110000
> +READ_PERM = 0x00120000
> +CHAN_PERM = 0x00140000
> +TAKE_OWNR = 0x00180000
> +
> +class App:
> +       def __init__(self, root, sd, is_dir):
> +               self.sd = sd
> +                self.is_dir = is_dir
> +               self.tf = Frame(bd=1)
> +               self.tf.grid(columnspan=5, rowspan=5, padx=5, pady=5)
> +
> +               # Owner
> +               Label(self.tf, text='Owner: %s' % (self.sd.owner)).grid(row=0, column=0, columnspan=6, sticky='W')
> +
> +               # Group
> +               Label(self.tf, text='Group: %s' % (self.sd.group)).grid(row=1, column=0, columnspan=6, sticky='W')
> +
> +               self.sb = Scrollbar(self.tf, orient=VERTICAL)
> +               self.lb = Listbox(self.tf, height=5, selectmode=SINGLE,
> +                               yscrollcommand=self.sb.set)
> +               self.sb.config(command=self.lb.yview)
> +               self.sb.grid(row=2, column=1, sticky='NS')
> +               self.lb.grid(row=2, column=0, sticky='W')
> +
> +                max = 0
> +               for idx, item in enumerate(self.sd.dacl.ace):
> +                       if item.type != 0 and item.type != 1:
> +                               continue
> +                        sid = '%s %s' % ("ALLOW" if item.type == 0 else "DENY", item.sid)
> +                        if max > len(sid):
> +                                max = len(sid)
> +                       self.lb.insert(idx, sid)
> +                       if not self.lb.curselection():
> +                               self.lb.selection_set(idx)
> +                self.lb.config(width=max)
> +                self.lb.bind("<Double-Button-1>", self.select_sid)
> +
> +               self.bas = Button(self.tf, text='Basic', relief=SUNKEN,
> +                       command=self.click_bas)
> +               self.bas.grid(row=2, column=2, sticky='NW')
> +
> +               self.adv = Button(self.tf, text='Advanced',
> +                       command=self.click_adv)
> +               self.adv.grid(row=2, column=3, sticky='NW')
> +
> +               # Basic Panel
> +               self.bf_bas = Frame(master=self.tf, bd=1)
> +               self.bf_bas.grid(row=3, column=0, columnspan=4, padx=5, pady=5)
> +               self.bf_bas_name = Label(self.bf_bas, text='')
> +               self.bf_bas_name.grid(row=0, column=0, columnspan=2, sticky='W')
> +
> +                row = 1
> +               self.bf_bas_fc=Checkbutton(self.bf_bas, text='Full Control')
> +               self.bf_bas_fc.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_fc.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_bas_mo=Checkbutton(self.bf_bas, text='Modify')
> +               self.bf_bas_mo.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_mo.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_bas_re=Checkbutton(self.bf_bas, text='Read & Execute')
> +               self.bf_bas_re.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_re.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_bas_rd=Checkbutton(self.bf_bas, text='Read')
> +               self.bf_bas_rd.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_rd.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_bas_wr=Checkbutton(self.bf_bas, text='Write')
> +               self.bf_bas_wr.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_wr.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_bas_sp=Checkbutton(self.bf_bas, text='Special')
> +               self.bf_bas_sp.grid(row=row, column=0, sticky='W')
> +               self.bf_bas_sp.config(state=DISABLED)
> +                row += 1
> +
> +               self.show_bas = True
> +               self.update_bf_bas()
> +
> +               # Advanced Panel
> +               self.bf_adv = Frame(master=self.tf, bd=1)
> +               self.bf_adv.grid(row=3, column=0, columnspan=4, padx=5, pady=5)
> +               self.bf_adv_name = Label(self.bf_adv, text='')
> +               self.bf_adv_name.grid(row=0, column=0, columnspan=2, sticky='W')
> +
> +                row = 1
> +               self.bf_adv_fc=Checkbutton(self.bf_adv, text='Full Control')
> +               self.bf_adv_fc.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_fc.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_te=Checkbutton(self.bf_adv, text='Traverse-folder/execute-file')
> +               self.bf_adv_te.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_te.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_lr=Checkbutton(self.bf_adv, text='List-folder/read-data')
> +               self.bf_adv_lr.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_lr.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_ra=Checkbutton(self.bf_adv, text='Read-Attributes')
> +               self.bf_adv_ra.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_ra.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_re=Checkbutton(self.bf_adv, text='Read-Extended-Attributes')
> +               self.bf_adv_re.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_re.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_cw=Checkbutton(self.bf_adv, text='Create-files/write-data')
> +               self.bf_adv_cw.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_cw.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_ca=Checkbutton(self.bf_adv, text='Create-folders/append-data')
> +               self.bf_adv_ca.grid(row=row, column=0, sticky='W')
> +               self.bf_adv_ca.config(state=DISABLED)
> +                row += 1
> +
> +                row = 1
> +               self.bf_adv_wa=Checkbutton(self.bf_adv, text='Write-Attributes')
> +               self.bf_adv_wa.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_wa.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_we=Checkbutton(self.bf_adv, text='Write-Extended-Attributes')
> +               self.bf_adv_we.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_we.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_de=Checkbutton(self.bf_adv, text='Delete')
> +               self.bf_adv_de.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_de.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_rp=Checkbutton(self.bf_adv, text='Read-Permissions')
> +               self.bf_adv_rp.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_rp.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_cp=Checkbutton(self.bf_adv, text='Change-Permissions')
> +               self.bf_adv_cp.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_cp.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv_to=Checkbutton(self.bf_adv, text='Take-Ownership')
> +               self.bf_adv_to.grid(row=row, column=1, sticky='W')
> +               self.bf_adv_to.config(state=DISABLED)
> +                row += 1
> +
> +               self.bf_adv.grid_remove()
> +
> +       def select_sid(self, event):
> +                self.click_bas()
> +
> +       def click_bas(self):
> +               self.adv.config(relief=RAISED)
> +               self.bas.config(relief=SUNKEN)
> +               self.bf_adv.grid_remove()
> +               self.update_bf_bas()
> +               self.bf_bas.grid()
> +               self.show_bas = True
> +
> +       def click_adv(self):
> +               self.adv.config(relief=SUNKEN)
> +               self.bas.config(relief=RAISED)
> +               self.bf_bas.grid_remove()
> +               self.update_bf_adv()
> +               self.bf_adv.grid()
> +               self.show_bas = False
> +
> +       def update_bf_adv(self):
> +               ace = self.sd.dacl.ace[self.lb.curselection()[0]]
> +               self.bf_adv_name.config(text='Advanced Permissions for %s' % (ace.sid))
> +               if ace.mask == FULL_CONTROL:
> +                       self.bf_adv_fc.select()
> +               else:
> +                       self.bf_adv_fc.deselect()
> +               if ace.mask & TRAV_EXEC == TRAV_EXEC:
> +                       self.bf_adv_te.select()
> +               else:
> +                       self.bf_adv_te.deselect()
> +               if ace.mask & LIST_READ == LIST_READ:
> +                       self.bf_adv_lr.select()
> +               else:
> +                       self.bf_adv_lr.deselect()
> +               if ace.mask & READ_ATTR == READ_ATTR:
> +                       self.bf_adv_ra.select()
> +               else:
> +                       self.bf_adv_ra.deselect()
> +               if ace.mask & READ_XATT == READ_XATT:
> +                       self.bf_adv_re.select()
> +               else:
> +                       self.bf_adv_re.deselect()
> +               if ace.mask & CREA_WRIT == CREA_WRIT:
> +                       self.bf_adv_cw.select()
> +               else:
> +                       self.bf_adv_cw.deselect()
> +               if ace.mask & CREA_APPE == CREA_APPE:
> +                       self.bf_adv_ca.select()
> +               else:
> +                       self.bf_adv_ca.deselect()
> +               if ace.mask & WRIT_ATTR == WRIT_ATTR:
> +                       self.bf_adv_wa.select()
> +               else:
> +                       self.bf_adv_wa.deselect()
> +               if ace.mask & WRIT_XATT == WRIT_XATT:
> +                       self.bf_adv_we.select()
> +               else:
> +                       self.bf_adv_we.deselect()
> +               if ace.mask & DELE == DELE:
> +                       self.bf_adv_de.select()
> +               else:
> +                       self.bf_adv_de.deselect()
> +               if ace.mask & READ_PERM == READ_PERM:
> +                       self.bf_adv_rp.select()
> +               else:
> +                       self.bf_adv_rp.deselect()
> +               if ace.mask & CHAN_PERM == CHAN_PERM:
> +                       self.bf_adv_rp.select()
> +               else:
> +                       self.bf_adv_rp.deselect()
> +               if ace.mask & TAKE_OWNR == TAKE_OWNR:
> +                       self.bf_adv_to.select()
> +               else:
> +                       self.bf_adv_to.deselect()
> +
> +       def update_bf_bas(self):
> +               ace = self.sd.dacl.ace[self.lb.curselection()[0]]
> +               self.bf_bas_name.config(text='Permissions for %s' % (ace.sid))
> +               tmp = ace.mask
> +               if ace.mask == FULL_CONTROL:
> +                       self.bf_bas_fc.select()
> +                       tmp &= ~FULL_CONTROL
> +               else:
> +                       self.bf_bas_fc.deselect()
> +               if ace.mask & CHANGE == CHANGE:
> +                       self.bf_bas_mo.select()
> +                       tmp &= ~CHANGE
> +               else:
> +                       self.bf_bas_mo.deselect()
> +               if ace.mask & EREAD == EREAD:
> +                       self.bf_bas_re.select()
> +                       tmp &= ~EREAD
> +               else:
> +                       self.bf_bas_re.deselect()
> +               if ace.mask & ALL_READ_BITS == ALL_READ_BITS:
> +                       self.bf_bas_rd.select()
> +                       tmp &= ~ALL_READ_BITS
> +               else:
> +                       self.bf_bas_rd.deselect()
> +               if ace.mask & EWRITE == EWRITE:
> +                       self.bf_bas_wr.select()
> +                       tmp &= ~EWRITE
> +               else:
> +                       self.bf_bas_wr.deselect()
> +               if tmp:
> +                       self.bf_bas_sp.select()
> +               else:
> +                       self.bf_bas_sp.deselect()
> +
> +CIFS_QUERY_INFO = 0xc018cf07
> +
> +def usage():
> +        print "Usage: %s <filename>" % (sys.argv[0])
> +        sys.exit()
> +
> +
> +class SID:
> +        '''
> +        SID implements a Windows Security Identifier as per MS-DTYP:2.4.2.
> +        '''
> +        def __init__(self, buf):
> +                self.sub_authority_count = buf[1]
> +                self.buffer = buf[:8 + self.sub_authority_count * 4]
> +                self.revision = self.buffer[0]
> +                if self.revision != 1:
> +                        raise ValueError('SID Revision %d not supported' %
> +                                         (self.revision))
> +                self.identifier_authority = 0
> +                for x in self.buffer[2:8]:
> +                        self.identifier_authority = self.identifier_authority * 256 + x
> +                self.sub_authority = []
> +                for i in range(self.sub_authority_count):
> +                        self.sub_authority.append(struct.unpack_from('<I', self.buffer, 8 + 4 * i)[0])
> +
> +        def __str__(self):
> +                s = "S-%u-%u" % (self.revision, self.identifier_authority)
> +
> +                for x in self.sub_authority:
> +                        s += '-%u' % x
> +                return s
> +
> +
> +class ACE:
> +        '''
> +        ACE implements a Windows ACE as per MS-DTYP:2.4.4.
> +        '''
> +        def __init__(self, buf):
> +                self.type = buf[0]
> +                self.flags = buf[1]
> +                self.size = struct.unpack_from('<H', buf, 2)[0]
> +                self.raw = buf[:self.size]
> +                if self.type in [0, 1]:
> +                        self.mask = struct.unpack_from('<I', buf, 4)[0]
> +                        self.sid = SID(buf[8:])
> +
> +        def __str__(self):
> +                s = 'Type:0x%02x ' % (self.type)
> +                s += 'Flags:0x%02x ' % (self.flags)
> +                if self.type in [0, 1]:
> +                        s += 'Mask:0x%02x SID:%s' % (self.mask, self.sid)
> +                else:
> +                        for i in self.raw[4:]:
> +                                s += '%02x' % (i)
> +
> +                return s
> +
> +        class Type(enum.Enum):
> +                ALLOWED = 0
> +                DENIED = 1
> +
> +                def __str__(self):
> +                        return self.name
> +
> +
> +class ACL:
> +        '''
> +        ACL implements a Windows ACL as per MS-DTYP:2.4.5.
> +        '''
> +        def __init__(self, buf):
> +                self.revision = buf[0]
> +                if self.revision != 2 and self.revision != 4:
> +                        raise ValueError('ACL Revision %d '
> +                                         'not supported' % (self.revision))
> +                acl = buf[8:8 + struct.unpack_from('<H', buf, 2)[0]]
> +                self.ace = []
> +                for i in range(struct.unpack_from('<H', buf, 4)[0]):
> +                        ace = ACE(acl)
> +                        self.ace.append(ace)
> +                        acl = acl[ace.size:]
> +
> +        def __str__(self):
> +                s = 'Revision:0x%02x\n' % (self.revision)
> +                for ace in self.ace:
> +                        s += '%s\n' % (ace)
> +                return s
> +
> +
> +class SecurityDescriptor:
> +        '''
> +        SecurityDescriptor implements a Windows Security Descriptor as per
> +        MS-DTYP:2.4.6.
> +        '''
> +        def __init__(self, buf):
> +                self.revision = buf[0]
> +                if self.revision != 1:
> +                        raise ValueError('Security Descriptor Revision %d '
> +                                         'not supported' % (self.revision))
> +                self.control = struct.unpack_from('<H', buf, 2)
> +
> +                self.owner = SID(buf[struct.unpack_from('<I', buf, 4)[0]:])
> +                self.group = SID(buf[struct.unpack_from('<I', buf, 8)[0]:])
> +
> +                self.dacl = ACL(buf[struct.unpack_from('<I', buf, 16)[0]:])
> +
> +        def __str__(self):
> +                s = 'Revision:%u\n' % (self.revision)
> +                s += 'Control:0x%04x\n' % (self.control)
> +                s += 'Owner:%s\n' % (self.owner)
> +                s += 'Group:%s\n' % (self.group)
> +                s += 'DACL:\n%s' % (self.dacl)
> +                return s
> +
> +
> +def main():
> +        if len(sys.argv) != 2:
> +                usage()
> +
> +        buf = array.array('B', [0] * 16384)
> +
> +        struct.pack_into('<I', buf, 0, 3) # InfoType: Security
> +        struct.pack_into('<I', buf, 8, 7) # AddInfo: Group/Owner/Dacl
> +        struct.pack_into('<I', buf, 16, 16384) # InputBufferLength
> +
> +        f = os.open(sys.argv[1], os.O_RDONLY)
> +        st = os.fstat(f)
> +        fcntl.ioctl(f, CIFS_QUERY_INFO, buf, 1)
> +       os.close(f)
> +
> +        s = struct.unpack_from('<I', buf, 16)
> +
> +        sd = SecurityDescriptor(buf[24:24 + s[0]])
> +
> +        root = Tk()
> +        app = App(root, sd, stat.S_ISDIR(st.st_mode))
> +        root.mainloop()
> +
> +
> +if __name__ == "__main__":
> +       main()
> +
> --
> 2.13.6
>

Fixed minor code style problems and merged. Thanks.

https://github.com/piastry/cifs-utils/commit/0009157e9db4dc1f9f8ab66feebea2d7d12014b1

--
Best regards,
Pavel Shilovsky
diff mbox series

Patch

diff --git a/secdesc-ui.py b/secdesc-ui.py
new file mode 100755
index 0000000..26db582
--- /dev/null
+++ b/secdesc-ui.py
@@ -0,0 +1,437 @@ 
+#!/usr/bin/env python
+# coding: utf-8
+
+import array
+import enum
+import fcntl
+import os
+import struct
+import stat
+import sys
+from Tkinter import *
+
+FULL_CONTROL = 0x001f01ff
+EWRITE = 0x00000116
+ALL_READ_BITS = 0x00020089
+EREAD = 0x001200a9
+CHANGE = 0x001301bf
+
+TRAV_EXEC = 0x00100020
+LIST_READ = 0x00100001
+READ_ATTR = 0x00100080
+READ_XATT = 0x00100008
+CREA_WRIT = 0x00100002
+CREA_APPE = 0x00100004
+WRIT_ATTR = 0x00100100
+WRIT_XATT = 0x00100010
+DELE = 0x00110000
+READ_PERM = 0x00120000
+CHAN_PERM = 0x00140000
+TAKE_OWNR = 0x00180000
+
+class App:
+	def __init__(self, root, sd, is_dir):
+		self.sd = sd
+                self.is_dir = is_dir
+		self.tf = Frame(bd=1)
+		self.tf.grid(columnspan=5, rowspan=5, padx=5, pady=5)
+
+		# Owner
+		Label(self.tf, text='Owner: %s' % (self.sd.owner)).grid(row=0, column=0, columnspan=6, sticky='W')
+
+		# Group 
+		Label(self.tf, text='Group: %s' % (self.sd.group)).grid(row=1, column=0, columnspan=6, sticky='W')
+
+		self.sb = Scrollbar(self.tf, orient=VERTICAL)
+		self.lb = Listbox(self.tf, height=5, selectmode=SINGLE,
+				yscrollcommand=self.sb.set)
+		self.sb.config(command=self.lb.yview)
+		self.sb.grid(row=2, column=1, sticky='NS')
+		self.lb.grid(row=2, column=0, sticky='W')
+
+                max = 0
+		for idx, item in enumerate(self.sd.dacl.ace):
+			if item.type != 0 and item.type != 1:
+				continue
+                        sid = '%s %s' % ("ALLOW" if item.type == 0 else "DENY", item.sid)
+                        if max > len(sid):
+                                max = len(sid)
+			self.lb.insert(idx, sid)
+			if not self.lb.curselection():
+				self.lb.selection_set(idx)
+                self.lb.config(width=max)
+                self.lb.bind("<Double-Button-1>", self.select_sid)
+
+		self.bas = Button(self.tf, text='Basic', relief=SUNKEN,
+			command=self.click_bas)
+		self.bas.grid(row=2, column=2, sticky='NW')
+
+		self.adv = Button(self.tf, text='Advanced',
+			command=self.click_adv)
+		self.adv.grid(row=2, column=3, sticky='NW')
+
+		# Basic Panel
+		self.bf_bas = Frame(master=self.tf, bd=1)
+		self.bf_bas.grid(row=3, column=0, columnspan=4, padx=5, pady=5)
+		self.bf_bas_name = Label(self.bf_bas, text='')
+		self.bf_bas_name.grid(row=0, column=0, columnspan=2, sticky='W')
+
+                row = 1
+		self.bf_bas_fc=Checkbutton(self.bf_bas, text='Full Control')
+		self.bf_bas_fc.grid(row=row, column=0, sticky='W')
+		self.bf_bas_fc.config(state=DISABLED)
+                row += 1
+
+		self.bf_bas_mo=Checkbutton(self.bf_bas, text='Modify')
+		self.bf_bas_mo.grid(row=row, column=0, sticky='W')
+		self.bf_bas_mo.config(state=DISABLED)
+                row += 1
+
+		self.bf_bas_re=Checkbutton(self.bf_bas, text='Read & Execute')
+		self.bf_bas_re.grid(row=row, column=0, sticky='W')
+		self.bf_bas_re.config(state=DISABLED)
+                row += 1
+
+		self.bf_bas_rd=Checkbutton(self.bf_bas, text='Read')
+		self.bf_bas_rd.grid(row=row, column=0, sticky='W')
+		self.bf_bas_rd.config(state=DISABLED)
+                row += 1
+
+		self.bf_bas_wr=Checkbutton(self.bf_bas, text='Write')
+		self.bf_bas_wr.grid(row=row, column=0, sticky='W')
+		self.bf_bas_wr.config(state=DISABLED)
+                row += 1
+
+		self.bf_bas_sp=Checkbutton(self.bf_bas, text='Special')
+		self.bf_bas_sp.grid(row=row, column=0, sticky='W')
+		self.bf_bas_sp.config(state=DISABLED)
+                row += 1
+
+		self.show_bas = True
+		self.update_bf_bas()
+	
+		# Advanced Panel	
+		self.bf_adv = Frame(master=self.tf, bd=1)
+		self.bf_adv.grid(row=3, column=0, columnspan=4, padx=5, pady=5)
+		self.bf_adv_name = Label(self.bf_adv, text='')
+		self.bf_adv_name.grid(row=0, column=0, columnspan=2, sticky='W')
+                
+                row = 1
+		self.bf_adv_fc=Checkbutton(self.bf_adv, text='Full Control')
+		self.bf_adv_fc.grid(row=row, column=0, sticky='W')
+		self.bf_adv_fc.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_te=Checkbutton(self.bf_adv, text='Traverse-folder/execute-file')
+		self.bf_adv_te.grid(row=row, column=0, sticky='W')
+		self.bf_adv_te.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_lr=Checkbutton(self.bf_adv, text='List-folder/read-data')
+		self.bf_adv_lr.grid(row=row, column=0, sticky='W')
+		self.bf_adv_lr.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_ra=Checkbutton(self.bf_adv, text='Read-Attributes')
+		self.bf_adv_ra.grid(row=row, column=0, sticky='W')
+		self.bf_adv_ra.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_re=Checkbutton(self.bf_adv, text='Read-Extended-Attributes')
+		self.bf_adv_re.grid(row=row, column=0, sticky='W')
+		self.bf_adv_re.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_cw=Checkbutton(self.bf_adv, text='Create-files/write-data')
+		self.bf_adv_cw.grid(row=row, column=0, sticky='W')
+		self.bf_adv_cw.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_ca=Checkbutton(self.bf_adv, text='Create-folders/append-data')
+		self.bf_adv_ca.grid(row=row, column=0, sticky='W')
+		self.bf_adv_ca.config(state=DISABLED)
+                row += 1
+
+                row = 1
+		self.bf_adv_wa=Checkbutton(self.bf_adv, text='Write-Attributes')
+		self.bf_adv_wa.grid(row=row, column=1, sticky='W')
+		self.bf_adv_wa.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_we=Checkbutton(self.bf_adv, text='Write-Extended-Attributes')
+		self.bf_adv_we.grid(row=row, column=1, sticky='W')
+		self.bf_adv_we.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_de=Checkbutton(self.bf_adv, text='Delete')
+		self.bf_adv_de.grid(row=row, column=1, sticky='W')
+		self.bf_adv_de.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_rp=Checkbutton(self.bf_adv, text='Read-Permissions')
+		self.bf_adv_rp.grid(row=row, column=1, sticky='W')
+		self.bf_adv_rp.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_cp=Checkbutton(self.bf_adv, text='Change-Permissions')
+		self.bf_adv_cp.grid(row=row, column=1, sticky='W')
+		self.bf_adv_cp.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv_to=Checkbutton(self.bf_adv, text='Take-Ownership')
+		self.bf_adv_to.grid(row=row, column=1, sticky='W')
+		self.bf_adv_to.config(state=DISABLED)
+                row += 1
+
+		self.bf_adv.grid_remove()
+
+	def select_sid(self, event):
+                self.click_bas()
+
+	def click_bas(self):
+		self.adv.config(relief=RAISED)
+		self.bas.config(relief=SUNKEN)
+		self.bf_adv.grid_remove()
+		self.update_bf_bas()
+		self.bf_bas.grid()
+		self.show_bas = True
+
+	def click_adv(self):
+		self.adv.config(relief=SUNKEN)
+		self.bas.config(relief=RAISED)
+		self.bf_bas.grid_remove()
+		self.update_bf_adv()
+		self.bf_adv.grid()
+		self.show_bas = False
+
+	def update_bf_adv(self):
+		ace = self.sd.dacl.ace[self.lb.curselection()[0]]
+		self.bf_adv_name.config(text='Advanced Permissions for %s' % (ace.sid))
+		if ace.mask == FULL_CONTROL:
+			self.bf_adv_fc.select()
+		else:
+			self.bf_adv_fc.deselect()
+		if ace.mask & TRAV_EXEC == TRAV_EXEC:
+			self.bf_adv_te.select()
+		else:
+			self.bf_adv_te.deselect()
+		if ace.mask & LIST_READ == LIST_READ:
+			self.bf_adv_lr.select()
+		else:
+			self.bf_adv_lr.deselect()
+		if ace.mask & READ_ATTR == READ_ATTR:
+			self.bf_adv_ra.select()
+		else:
+			self.bf_adv_ra.deselect()
+		if ace.mask & READ_XATT == READ_XATT:
+			self.bf_adv_re.select()
+		else:
+			self.bf_adv_re.deselect()
+		if ace.mask & CREA_WRIT == CREA_WRIT:
+			self.bf_adv_cw.select()
+		else:
+			self.bf_adv_cw.deselect()
+		if ace.mask & CREA_APPE == CREA_APPE:
+			self.bf_adv_ca.select()
+		else:
+			self.bf_adv_ca.deselect()
+		if ace.mask & WRIT_ATTR == WRIT_ATTR:
+			self.bf_adv_wa.select()
+		else:
+			self.bf_adv_wa.deselect()
+		if ace.mask & WRIT_XATT == WRIT_XATT:
+			self.bf_adv_we.select()
+		else:
+			self.bf_adv_we.deselect()
+		if ace.mask & DELE == DELE:
+			self.bf_adv_de.select()
+		else:
+			self.bf_adv_de.deselect()
+		if ace.mask & READ_PERM == READ_PERM:
+			self.bf_adv_rp.select()
+		else:
+			self.bf_adv_rp.deselect()
+		if ace.mask & CHAN_PERM == CHAN_PERM:
+			self.bf_adv_rp.select()
+		else:
+			self.bf_adv_rp.deselect()
+		if ace.mask & TAKE_OWNR == TAKE_OWNR:
+			self.bf_adv_to.select()
+		else:
+			self.bf_adv_to.deselect()
+
+	def update_bf_bas(self):
+		ace = self.sd.dacl.ace[self.lb.curselection()[0]]
+		self.bf_bas_name.config(text='Permissions for %s' % (ace.sid))
+		tmp = ace.mask
+		if ace.mask == FULL_CONTROL:
+			self.bf_bas_fc.select()
+			tmp &= ~FULL_CONTROL
+		else:
+			self.bf_bas_fc.deselect()
+		if ace.mask & CHANGE == CHANGE:
+			self.bf_bas_mo.select()
+			tmp &= ~CHANGE
+		else:
+			self.bf_bas_mo.deselect()
+		if ace.mask & EREAD == EREAD:
+			self.bf_bas_re.select()
+			tmp &= ~EREAD
+		else:
+			self.bf_bas_re.deselect()
+		if ace.mask & ALL_READ_BITS == ALL_READ_BITS:
+			self.bf_bas_rd.select()
+			tmp &= ~ALL_READ_BITS
+		else:
+			self.bf_bas_rd.deselect()
+		if ace.mask & EWRITE == EWRITE:
+			self.bf_bas_wr.select()
+			tmp &= ~EWRITE
+		else:
+			self.bf_bas_wr.deselect()
+		if tmp:
+			self.bf_bas_sp.select()
+		else:
+			self.bf_bas_sp.deselect()
+
+CIFS_QUERY_INFO = 0xc018cf07
+
+def usage():
+        print "Usage: %s <filename>" % (sys.argv[0])
+        sys.exit()
+
+
+class SID:
+        '''
+        SID implements a Windows Security Identifier as per MS-DTYP:2.4.2.
+        '''
+        def __init__(self, buf):
+                self.sub_authority_count = buf[1]
+                self.buffer = buf[:8 + self.sub_authority_count * 4]
+                self.revision = self.buffer[0]
+                if self.revision != 1:
+                        raise ValueError('SID Revision %d not supported' %
+                                         (self.revision))
+                self.identifier_authority = 0
+                for x in self.buffer[2:8]:
+                        self.identifier_authority = self.identifier_authority * 256 + x
+                self.sub_authority = []
+                for i in range(self.sub_authority_count):
+                        self.sub_authority.append(struct.unpack_from('<I', self.buffer, 8 + 4 * i)[0])
+
+        def __str__(self):
+                s = "S-%u-%u" % (self.revision, self.identifier_authority)
+
+                for x in self.sub_authority:
+                        s += '-%u' % x
+                return s
+
+
+class ACE:
+        '''
+        ACE implements a Windows ACE as per MS-DTYP:2.4.4.
+        '''
+        def __init__(self, buf):
+                self.type = buf[0]
+                self.flags = buf[1]
+                self.size = struct.unpack_from('<H', buf, 2)[0]
+                self.raw = buf[:self.size]
+                if self.type in [0, 1]:
+                        self.mask = struct.unpack_from('<I', buf, 4)[0]
+                        self.sid = SID(buf[8:])
+
+        def __str__(self):
+                s = 'Type:0x%02x ' % (self.type)
+                s += 'Flags:0x%02x ' % (self.flags)
+                if self.type in [0, 1]:
+                        s += 'Mask:0x%02x SID:%s' % (self.mask, self.sid)
+                else:
+                        for i in self.raw[4:]:
+                                s += '%02x' % (i)
+
+                return s
+
+        class Type(enum.Enum):
+                ALLOWED = 0
+                DENIED = 1
+
+                def __str__(self):
+                        return self.name
+
+
+class ACL:
+        '''
+        ACL implements a Windows ACL as per MS-DTYP:2.4.5.
+        '''
+        def __init__(self, buf):
+                self.revision = buf[0]
+                if self.revision != 2 and self.revision != 4:
+                        raise ValueError('ACL Revision %d '
+                                         'not supported' % (self.revision))
+                acl = buf[8:8 + struct.unpack_from('<H', buf, 2)[0]]
+                self.ace = []
+                for i in range(struct.unpack_from('<H', buf, 4)[0]):
+                        ace = ACE(acl)
+                        self.ace.append(ace)
+                        acl = acl[ace.size:]
+
+        def __str__(self):
+                s = 'Revision:0x%02x\n' % (self.revision)
+                for ace in self.ace:
+                        s += '%s\n' % (ace)
+                return s
+
+
+class SecurityDescriptor:
+        '''
+        SecurityDescriptor implements a Windows Security Descriptor as per
+        MS-DTYP:2.4.6.
+        '''
+        def __init__(self, buf):
+                self.revision = buf[0]
+                if self.revision != 1:
+                        raise ValueError('Security Descriptor Revision %d '
+                                         'not supported' % (self.revision))
+                self.control = struct.unpack_from('<H', buf, 2)
+
+                self.owner = SID(buf[struct.unpack_from('<I', buf, 4)[0]:])
+                self.group = SID(buf[struct.unpack_from('<I', buf, 8)[0]:])
+
+                self.dacl = ACL(buf[struct.unpack_from('<I', buf, 16)[0]:])
+
+        def __str__(self):
+                s = 'Revision:%u\n' % (self.revision)
+                s += 'Control:0x%04x\n' % (self.control)
+                s += 'Owner:%s\n' % (self.owner)
+                s += 'Group:%s\n' % (self.group)
+                s += 'DACL:\n%s' % (self.dacl)
+                return s
+
+
+def main():
+        if len(sys.argv) != 2:
+                usage()
+
+        buf = array.array('B', [0] * 16384)
+
+        struct.pack_into('<I', buf, 0, 3) # InfoType: Security
+        struct.pack_into('<I', buf, 8, 7) # AddInfo: Group/Owner/Dacl
+        struct.pack_into('<I', buf, 16, 16384) # InputBufferLength
+        
+        f = os.open(sys.argv[1], os.O_RDONLY)
+        st = os.fstat(f)
+        fcntl.ioctl(f, CIFS_QUERY_INFO, buf, 1)
+	os.close(f)
+
+        s = struct.unpack_from('<I', buf, 16)
+
+        sd = SecurityDescriptor(buf[24:24 + s[0]])
+
+        root = Tk()
+        app = App(root, sd, stat.S_ISDIR(st.st_mode))
+        root.mainloop()
+
+
+if __name__ == "__main__":
+	main()
+